Monday, March 02, 2009

Conficker Author(s) Thinking Three Moves Ahead?

Trinity: "Where are you going?"
The Keymaker: "Another way. Always another way."
-The Matrix Reloaded

I can't help but feel that Conficker's author(s) are thinking some distance ahead of us. It was probably inevitable that the worm's pseudo-random domain name algorithm would produce a handful of existing, already-registered domain names - names largely beyond the reach of the industry groups attempting to cut off the worm's control channel by registering and locking its domain names. Perhaps the worm's creator(s) expected us to lock the unregistered domains, knowing that they simply have to wait for the day the worm turns to a preexisting domain whose systems they are able to take control of (or perhaps already have). For March, for example, the worm's list includes a small number of pre-existing domains, among them these four, as reported by Sophos at http://www.sophos.com/security/blog/2009/03/3457.htm

DOMAIN          SITE                                  DATE
jogli dot com   Big Web Great Music                   March 8
wnsux dot com   Southwest Airlines                    March 13
qhflh dot com   Women’s Net in Qinghai Province       March 18
praat dot org   Praat: doing phonetics by computer    March 31

The good news is that this may present an easier method of detecting the bot's control channel. DNS servers may not log queries by default, but most can enable logging, and while I can't think of an off-the-shelf tool for alerting on DNS logs, this would not be difficult to script. Bear in mind that some of these are legitimately busy sites (Southwest Airlines, for one), so a query for one of them is only suspicious on or around the day the worm's algorithm produces it. These queries could easily be detected by an IDS rule as well (assuming IDS sensors are monitoring internal DNS traffic, particularly when DNS mitigation prevents the queries from traversing the perimeter, where a sensor would otherwise see them). It would probably be a good idea for sites to blackhole the preexisting Conficker domains on the relevant days (or permanently); depending on the DNS product used, this might also make it easier to report on attempts to resolve the domain names, by reporting on names resolved to nowhere. AV vendors should be capable of providing lists of existing domains output by the worm's algorithm.
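A detection script of the kind described above, as an added example that is not from the original post: it scans resolver query logs for the four pre-existing March domains in the table and treats a query as a strong indicator only on (or within a day of) the date the worm's algorithm produces that name, since the sites themselves see legitimate traffic the rest of the month. The BIND 9 query-log line layout, the regex, the one-day window and the sample log lines are my assumptions; the sample lines are constructed, not captured traffic.

```python
"""Flag DNS queries for pre-existing Conficker domains in a resolver query log.

Added example (not from the original post). Assumes BIND 9 style query-log lines;
the sample log below is constructed, not captured traffic.
"""
import re
from datetime import date

# The four pre-existing March 2009 domains listed in the post, keyed to the day
# on which Conficker's domain algorithm produces each of them.
WATCHLIST = {
    "jogli.com": date(2009, 3, 8),
    "wnsux.com": date(2009, 3, 13),
    "qhflh.com": date(2009, 3, 18),
    "praat.org": date(2009, 3, 31),
}

# Assumed BIND 9 query-log layout (logging channel with print-time yes), e.g.
#   08-Mar-2009 10:15:32.123 client 10.0.0.15#51234: query: jogli.com IN A + (10.0.0.1)
# Other resolvers need a different regex; the rest of the logic is unchanged.
QUERY_RE = re.compile(
    r"^(?P<day>\d{2})-(?P<mon>[A-Za-z]{3})-(?P<year>\d{4}) [\d:.]+ "
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}


def parse_line(line):
    """Return (query_date, client_ip, qname) for a query-log line, else None."""
    m = QUERY_RE.match(line)
    if not m:
        return None
    qdate = date(int(m["year"]), MONTHS[m["mon"]], int(m["day"]))
    return qdate, m["client"], m["qname"].rstrip(".").lower()


def watched_domain(qname):
    """Map a query name to the watchlist entry it falls under, if any.

    A subdomain (www.jogli.com) counts as a hit on jogli.com; a name that merely
    ends in the same letters (notjogli.com) does not.
    """
    for dom in WATCHLIST:
        if qname == dom or qname.endswith("." + dom):
            return dom
    return None


def scan(lines, window_days=1):
    """Return [(client_ip, qname, watchlist_domain, severity), ...].

    Several of these are legitimately busy sites, so a query is only strong
    evidence on the day the worm turns to that name. Queries within
    window_days of that date are rated HIGH (the window absorbs timezone and
    clock differences between the resolver and whatever the worm uses as its
    date source); anything else is recorded as INFO for follow-up.
    """
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        qdate, client, qname = parsed
        dom = watched_domain(qname)
        if dom is None:
            continue
        delta = abs((qdate - WATCHLIST[dom]).days)
        severity = "HIGH" if delta <= window_days else "INFO"
        hits.append((client, qname, dom, severity))
    return hits


def active_on(day):
    """Domains to blackhole on a given day (feeds a daily sinkhole zone list)."""
    return sorted(dom for dom, d in WATCHLIST.items() if d == day)


# Constructed sample log lines (not real traffic); the last one is a non-query
# line of the sort that shares the log file and must be ignored.
SAMPLE_LOG = """\
08-Mar-2009 10:15:32.123 client 10.0.0.15#51234: query: jogli.com IN A + (10.0.0.1)
08-Mar-2009 10:15:33.001 client 10.0.0.15#51235: query: www.jogli.com IN A + (10.0.0.1)
08-Mar-2009 10:16:01.500 client 10.0.0.22#40001: query: mail.example.com IN MX + (10.0.0.1)
13-Mar-2009 09:02:11.010 client 10.0.0.31#33210: query: wnsux.com IN A + (10.0.0.1)
20-Mar-2009 14:45:00.000 client 10.0.0.50#60000: query: praat.org IN A + (10.0.0.1)
named[1234]: zone example.com/IN: loaded serial 2009030101
"""

if __name__ == "__main__":
    for client, qname, dom, sev in scan(SAMPLE_LOG.splitlines()):
        print(f"{sev:4} {client:<12} {qname} (watchlist: {dom})")
```

Run against the sample, the two 8 March queries from 10.0.0.15 and the 13 March query from 10.0.0.31 come out HIGH, while the praat.org lookup on 20 March is only INFO, which is the point: a host resolving one of these names on its scheduled day is worth a look, a host resolving it on some other day is most likely a user. The same date keying is what you would feed a per-day blackhole list if you prefer to sinkhole rather than merely alert.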
